Microsoft, Oracle Patches Lead Security Week

It was a week of patches that are sure to create some extra work for administrators.

Microsoft broke its record for the most patches ever Oct. 12, releasing a total of 16 security bulletins to fix 49 vulnerabilities across its products. One of the fixes patched a zero-day issue exploited by the Stuxnet worm. According to security pros, the most critical updates, however, were the Internet Explorer bulletin and a bulletin covering a vulnerability in the Embedded OpenType Font Engine.

Not to be outdone, Oracle pushed out its final update of the year with 85 security fixes. Of the 85, 33 are focused on the Oracle applications suites, with the breakdown as follows: six for Oracle e-Business, two for Oracle Supply Chain products, 21 for the Oracle PeopleSoft and JDEdwards suite, and four for the Oracle Siebel suite.

Thirty-one of the vulnerabilities affect the Oracle Sun product suite (Solaris), including 11 that Oracle classified as remotely exploitable. There are also eight fixes for Oracle Fusion Middleware, seven for the Oracle database, one in Oracle Enterprise Manager Grid Control, one in the Oracle Primavera suite and four for Oracle VM.

"This process should not be taken lightly," said Amichai Shulman, co-founder and CTO of Imperva. "For many organizations, the process of patching lasts a few months, mainly between three to six months. DBAs [database administrators], system and IT admins, developers: all these play a role in the patching process. As resources and time are constrained, servers are left vulnerable for months after the release of a patch. Of course, the addition of more patches to different parts of the system, such as when MS patches pertain to servers, just adds complexity to the patching process."
Facebook appeared in the security news again this week, this time with a new feature meant to protect user passwords. Facebook is gradually rolling out the ability to text a one-time password to users concerned about working on machines other than their normal computers, such as public computers in hotels, cafes or airports.

"Simply text 'otp' to 32665 on your mobile phone, and you'll immediately receive a password that can be used only once and expires in 20 minutes," blogged Jake Brill, product manager for Facebook's integrity team. "In order to access this feature, you'll need a mobile phone number in your account. We're rolling this out gradually, and it should be available to everyone in the coming weeks."
Officials at McAfee, meanwhile, discussed their "Security Connected" vision, outlining integration and management plans across its portfolio. In addition, Microsoft released an updated Security Intelligence Report that named the United States as home base for more than 2 million bot-infected PCs, while Sophos reported the United States had retained its title as the top spam-relaying nation in the world.
Rounding out the news, the Lower Merion School District agreed to settle litigation alleging it had used Webcams to spy on students. The district settled the matter for $610,000, ending several months of legal wrangling.